The reason I brought up the question, "Why does XACML support not necessarily mean much?" was basically because I found that Mark's paper answered it. The quote I provided as an answer from Mark on this question was as follows: "It is unclear if additional services besides XACML R/R are required to provide true PDP-PEP interoperability."

In that paper, Mark went on to say the following: "Many of these concerns would be mitigated by a formal interoperability test among vendors, but none has been announced or planned."

That paper is dated May 31, 2007 and boom, Burton Group is announcing today (June 14, 2007) that the OASIS XACML Technical Committee has put together an interoperability project team that will put together a public XACML interoperability demo on June 28. That's pretty fast to go in one month from "no plan" to "having a conference." Here's the Burton Group blog entry on the topic:

Wednesday May 30, 2007

Previously, in my So many access managers, so little time entry, I blogged about the Burton Group's, specifically Mark Diodati's, research of five players in the Web Access Management (WAM) market: CA, IBM, Oracle, RSA & Sun Microsystems. The disclaimer is that I work for Sun Microsystems.

Well, Mark's done it again: only bigger and better than before and with more humor and clarity. If your organization manages or wants to manage access to web resources, this is must-know info. If you're just generally into technology, you might also find this paper useful. If you're a lounge singer, a brain surgeon, or a hermit, you might also be amused by this paper. One of the section headings in Mark's paper is "Federation and WAM: Best Friends Forever (BFF)". Now that's just plain funny, no matter what you do for a living. Are you telling me that's not funny? Anyway, there are other humorous section headings. I mean, in a dry (but very funny) kind of way.

-----

The Title of the Research Paper

The paper is referred to as a Market Landscape paper. The title is "Web Access Management Market 2007: Expanding Boundaries." Here's a teaser about the paper: This is just a Teaser.

The following is what I explained in my previous entry about Burton Group, in terms of accessing their research:

Your company has an annual subscription, you get everything. Your company doesn't have an annual subscription, you get a few things here and there. One can do a guest log in. Then you can get something. I have no idea what that will get you, but something free anyway.

The "Expanding Boundaries" part of the title is in reference to how the players in this market are not only improving upon the traditional functionality of WAM products, but they are introducing new functionality and greater interoperability.

-----

Ten Players, Not Just Five

Mark has written five papers about individual WAM products. That's what my previous blog entry on this topic discussed. However, this market landscape paper covers ten companies: the five original and five more. For the five new companies, he provides a synopsis of their WAM product(s).

-----

The Expanding Functionality

First, he goes through some of the new functionality being introduced in WAM products outside of the traditional functionality such as single sign-on (SSO) and authorization. He covers a few areas of new functionality, including the following: providing Web services security, XACML support, and integration with eSSO. For the expanding functionality, he provides a table that lists the ten players and explains what their product offers in that specific area of functionality.

-----

Other Areas Covered

The paper also covers the traditional functionality of WAM products: things like what the basic components are and how such functionality can be achieved in different ways by different products, even how such basic functionality is improving. In addition, he discusses the many identity management vendor acquisitions.

-----

Is the Paper Really So Clear?

Yes, I think it is. It could partially be that I'm getting used to this information and I'm simply starting to get it. But I think that Mark has provided key info in a few areas that allowed me to see the light where I did not see the light before. The following are examples of how things suddenly became clear to me. In the table below, the "Subject" represents an area where my understanding was lacking. The "Quoted Material" represents the exact wording from the paper that helped me understand things better. Of course it's out of context. It would be better to see the entire paper.

Subject: Why does "XACML support" not necessarily mean much?

Quoted Material: It is unclear if additional services besides XACML R/R are required to provide true PDP-PEP interoperability.

Subject: WAM Integration with eSSO

Quoted Material: In some respects, WAM systems and eSSO systems both provide SSO functionality to heterogeneous applications. However, eSSO systems work with non-web applications, require a client, and achieve SSO via the replay of user credentials (typically passwords). In contrast, WAM systems require only a browser, generally only work with web applications, and use a cryptographically protected session ticket compartmentalized in an HTTP cookie to provide SSO to heterogeneous applications. While minor overlap exists between the two product classes (i.e., providing SSO to web applications), these products are complementary.

Furthermore, I found areas that I understood somewhat well before to be even more clear to me after reading his paper. For example he explains how WAM products can usually support both reverse-proxy servers and endpoints, but that each WAM product is "architected toward one mechanism or the other." I don't know, that just makes it so much more clear than it was before. By the way, Sun Java System Access Manager is more endpoint centric.
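The quoted passage above draws the key contrast: eSSO replays the user's password, while a WAM system hands the browser a cryptographically protected session ticket in an HTTP cookie and lets an enforcement point (an endpoint agent or a reverse proxy) check that ticket on every request. The following is an added example written for this entry, not code from Mark's paper or from any of the ten vendors' products. It models that WAM flow in miniature: the access manager mints a ticket after authentication, and a PEP verifies the ticket's MAC and expiry before admitting the request, so the application never sees a password and a tampered or expired ticket is turned away. The cookie name, the HMAC-SHA256 construction, the ticket fields, and the shared key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption: the access manager and its PEP agents share this key.
# Constructed sample value for the example only; a real deployment
# provisions the key out of band and never hard-codes it.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_NAME = "wamsession"  # hypothetical cookie name, not any product's


def mint_ticket(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Access-manager side: after the user authenticates, issue a session ticket.

    The ticket carries an identity and a validity window, never the password,
    which is the point of contrast with eSSO credential replay.
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[dict]:
    """PEP side: return the ticket's claims if the MAC is valid and the ticket
    has not expired; otherwise return None.

    The MAC is checked before the body is even decoded, with a constant-time
    comparison, so a forged or edited ticket is rejected without being trusted.
    """
    now = time.time() if now is None else now
    try:
        body, tag = ticket.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def parse_cookies(header: str) -> dict:
    """Minimal Cookie request-header parser, enough for this example."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def enforce(cookie_header: str, now: Optional[float] = None) -> Tuple[int, str]:
    """One PEP decision: 200 plus the authenticated subject, or 401 with the
    action a WAM agent would take (send the browser to the access manager)."""
    ticket = parse_cookies(cookie_header).get(COOKIE_NAME)
    claims = verify_ticket(ticket, now) if ticket else None
    if claims is None:
        return 401, "redirect to access manager login"
    return 200, claims["sub"]


if __name__ == "__main__":
    issued_at = 1000.0  # constructed clock value so the run is repeatable
    ticket = mint_ticket("alice", ttl_seconds=600, now=issued_at)
    header = f"{COOKIE_NAME}={ticket}"
    print("valid   :", enforce(header, now=issued_at + 100))
    print("expired :", enforce(header, now=issued_at + 700))
    # Edit the body to claim a different user while keeping the original MAC.
    body, tag = ticket.split(".", 1)
    forged_body = base64.urlsafe_b64encode(
        json.dumps({"sub": "bob", "iat": 1000, "exp": 1600}, sort_keys=True).encode()
    ).decode()
    print("tampered:", enforce(f"{COOKIE_NAME}={forged_body}.{tag}", now=issued_at + 100))
    print("no cookie:", enforce("other=1", now=issued_at + 100))
```

The same verify-then-decide step is what moves between the two architectures Mark describes: in an endpoint-centric product it runs inside an agent on the web or application server, in a proxy-centric product it runs in the reverse proxy in front of them. Either way the application behind the PEP only ever receives an already-verified identity.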

I'll close with more or less what I said at the close of my previous blog entry on this topic, which was that if you're in the market for a WAM product make each company that's presenting to you do a proof of concept because this stuff is complicated. It's more clear than it was before (or that might just be me), but it's still complicated.

Friday Apr 06, 2007

If you want to learn a lot, fast, about what's available on the market for access management software products, two words, Burton Group. Access Manager this, Access Manager that, and Access Manager the other.

What's My Point of Reference?

Again, I'm a technical writer for Sun Microsystems. I write about Sun Java System Access Manager, specifically the agents; by that I mean the Access Manager Policy Agent software set. Of course, the Burton Group has done research on Sun Java System Access Manager, but they've done research on several access managers (if I can be so bold to call them "access managers"). The Burton Group calls the market for this product "Web Access Management Market." If you want to make a competitive analysis, Burton Group is a good place to start. One thing I've learned in life, you can't be all things to all people. None of these Web Access Manager systems or WAMs, as Burton Group is calling them, is going to fit everyone. So, while Sun Java System Access Manager is obviously the best (a little humor), there's going to be some corner case (more humor) where it isn't the best choice.

It turns out that I have full access to all of Burton Group's research but, much to my dismay, it's not because I'm so charming. I work for Sun Microsystems and Sun has an annual subscription with Burton Group. That's the way it works. Your company has an annual subscription, you get everything. Your company doesn't have an annual subscription, you get a few things here and there. One can do a guest log in. Then you can get something. I have no idea what that will get you, but something free anyway.

I actually contacted Burton Group to ask if people could buy a research paper here or there from them. In a word, “No!” Now, I could just attach all the cool research papers I got right here in my blog, but I might go to jail: a lot of downside, not much upside.

The good thing for me is that they were the sweetest people in the world. My first thought was “Wow! Sun must be paying lots of money for this annual subscription.” But then I don't know. Usually, you can't even buy customer service like that. Still I'm not letting down my guard. As I've said before, “I guess I don't trust anybody...”

All the same, I think they go a long way to make things right. This is from their Web site:

Q: What is Burton Group's vendor-independence policy?

A: At Burton Group, we take pride in our vendor independence. More than 80 percent of Burton Group's customers are enterprise organizations, and our singular commitment to be an unbiased advocate for the enterprise customer guides all of our work.

Burton Group does not publish vendor-sponsored research of any kind. Since the company's founding in 1990, we have never published any vendor-sponsored research. Likewise, Burton Group covers relevant vendors and products without regard to whether vendors subscribe to or use our services. In all of our endeavors, we maintain independence from vendor agendas, providing unbiased assessments of markets, vendors, and products. In keeping with its mission, Burton Group provides technically in-depth, independent research and advice for the enterprise technologist.

Who Did the Research on the Web Access Management Market?

ERROR IN THIS NEXT PARAGRAPH

It was all done by one person, Mark Diodati. You can see by his bio that he worked at a very high level for CA (Computer Associates – it isn't Computer Associates? Everything seems to be just CA now.) for 15 years. Anyway, one of the research papers is about CA SiteMinder. I think it's natural for me to question a former CA VP reviewing a CA product. Back to my “I guess I don't trust anybody” quote. Still his writing comes across painfully objective. So, five brownie points for that. It would seem hard to find an expert on WAM products who didn't actually somewhere in the past work with one WAM product more than the others.

HOW'S THE ABOVE PARAGRAPH WRONG?

I wouldn't normally correct an error I've made in my blog, but Mark Diodati himself added a comment pointing out an error I made that changes my outlook a bit. Mark didn't work at CA for 15 years. At the time, his bio showed 15 years experience in information security in general. His bio now shows 16 years total experience. Somehow, I jumped to the conclusion that he worked at CA the entire time, even though his bio mentions other companies, such as RSA. In his comment, Mark breaks the time down a little more specifically as such:

"I worked at CA for two years. I also worked at RSA for six years, and as you point out they have a WAM product as well."

Now, if we can just get IBM, Oracle, and Sun to each hire him for two years, we'll really be on to something.

ERROR CORRECTION COMPLETE

Another thing about Mark that I found was that he sometimes contributes to the Burton Group Identity Blog, such as this entry: http://identityblog.burtongroup.com/bgidps/2007/03/the_latticework.html. I like that entry because it points out how confusing it all is. Does identity management really have to be this complex? It seems the answer is “Yes, for now at least!”

Okay, What's the Research Already?

I'm talking about five papers that each have these labels:

Identity and Privacy Strategies

In-Depth Research Product Profile

The specific titles are as follows:

CA SiteMinder v6 SP5 (November 29, 2006)

Oracle Access Manager 10gR3 (December 06, 2006)

RSA Access Manager 6.0 (December 13, 2006)

Sun Java System Access Manager 7.1 (March 02, 2007)

IBM Tivoli Access Manager for e-business v.6.0 (March 26, 2007)

The section titles tend to be the same so it's relatively easy to compare one product to another. For example, there's a section titled “Bottom-Line Assessment.” That's broken into two sections that pretty much say:

Things about this WAM product that might influence you to buy it

Things about this WAM product that might influence you to buy another WAM product

Each paper includes pricing information, a graphic of the architecture, and a lot of other things. Another reminder: I write about Access Manager Policy Agent, which is a policy enforcement point (PEP). Therefore info about PEPs (and there was a decent amount) was really good for me. I have a better sense now about how other WAM products handle the PEPs. There's some variety there. And each method has its advantages and disadvantages.

Where To Go From Here?

I'm not sure what's next. From these five papers, one could definitely make it even easier to compare these products by coming up with even more charts, tables, and graphics. A lot of the hard work has been done. Soon, I'm going to contact Burton Group again to talk to their experts. Apparently, I can do that. I can have "dialogues" with Burton Group experts. I keep thinking that they're going to figure out that I was accidentally added to the wrong list and then they're going to make me give back everything I've already learned.

Now, I don't know nothing about nothing. But I can tell you this, if you're ever in the market for a WAM product, make the sales/marketing/engineering reps, Sun's and/or whoever else's, do a proof of concept. Because this stuff is complex.